mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 23:50:03 -06:00
792adebfab
Because krb5 silently ignores unrecognized options, this is safe on all versions. It lands upstream in krb5-1.17; in Fedora, it was added in krb5-1.6-17. Upstream documentation can be found in-tree at https://github.com/krb5/krb5/blob/master/doc/admin/spake.rst Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
21 lines
512 B
Plaintext
21 lines
512 B
Plaintext
[kdcdefaults]
|
|
kdc_ports = 88
|
|
kdc_tcp_ports = 88
|
|
restrict_anonymous_to_tgt = true
|
|
spake_preauth_kdc_challenge = edwards25519
|
|
|
|
[realms]
|
|
$REALM = {
|
|
master_key_type = aes256-cts
|
|
max_life = 7d
|
|
max_renewable_life = 14d
|
|
acl_file = $KRB5KDC_KADM5_ACL
|
|
dict_file = $DICT_WORDS
|
|
default_principal_flags = +preauth
|
|
; admin_keytab = $KRB5KDC_KADM5_KEYTAB
|
|
pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
|
|
pkinit_anchors = FILE:$KDC_CERT
|
|
pkinit_anchors = FILE:$CACERT_PEM
|
|
pkinit_pool = FILE:$CA_BUNDLE_PEM
|
|
}
|